Saturday, April 30, 2011

Password Too Simple - What to Do About It

Update June 15, 2013:
I stand by what I wrote here but please read as well my article "Passwords - The Latest".

Very recently a customer of mine asked me for help because a lot of obvious spam emails were sent from his Yahoo email account.

First we ensured that his computer was clean, that is, that there was no virus or similar malicious software running. We found and removed a few remnants of malware that apparently had been removed earlier, but nothing showed up as currently running. I wanted to know more about where the emails truly came from, and with help from a tech forum we established Guam as the geographical source.

And with help from the forum I realized that I had failed to give my customer the most obvious advice, that is to change his Yahoo password. LK, I apologize again for this dumb failure. Once the customer had changed the password the emails stopped immediately.

This proved beyond a doubt that his password had been guessed. This in turn reminded me of questions about passwords that I constantly discuss with my customers.

Tonight I stumbled upon an article titled "The Usability of Passwords" that discusses password usability and security in depth, but in understandable form and language. The latter truly is a positive exception.

In the future I will base recommendations about passwords on this article; it is the first time that I have found anything written about passwords with respect to both usability and security. Many other discussions in this area focus on the technical aspects of security only and all too often ignore that a really secure password like 5rF#2kLn7@ is simply impossible to fully remember and type correctly.

Passwords are meant to secure and/or guarantee the privacy of our communications and data; correct? In this context I have to admit that the mention of Yahoo and/or Hotmail together with "privacy" always makes me cringe; "cringe" because I don't want to laugh derisively at a customer who uses Yahoo, Hotmail, MSN, Earthlink, Gmail or any other email service that leaves the mails on the ISP's servers.

Why do I cringe? Read this article about data mining on Yahoo and this one about privacy on Hotmail as examples.

If all the articles I linked to here are too much reading, that's fine. But please read and heed at least the article titled "The Usability of Passwords".

Thank you.
